Set up iptables to prevent ab -n 100000 -c 1000

I want to set up basic firewall rules with iptables. The goal is to reject flood requests per IP, for example "ab -n 100000 -c 1000".

Only 2 rules:

iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m limit --limit 100/s --limit-burst 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j LOG --log-prefix "__test__"

But when I grep the iptables log with "sort" and "uniq -c", I see many IPs like these:

1 SRC=173.252.77.112
1 SRC=173.252.114.116
1 SRC=173.252.114.114
1 SRC=173.252.114.113

Is "-m state --state NEW" only effective for new connections? Then why do IPs with so few requests show up in the log?

Please advise.

Answer 1

The final solution is:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m hashlimit --hashlimit 1000/sec --hashlimit-burst 5000 --hashlimit-mode dstip --hashlimit-name hosts -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT

It does not block search-engine crawler packets and withstands HTTP floods, e.g.: ab -n 1000 -c 100 http://{host}/

Answer 2

Yes, the method detailed in the question works only on the number of new connections per unit of time, with no knowledge of the IP address establishing the connection. In the case of a large volume of connections from a small number of IP addresses this method is flawed, because it actually increases the chance that legitimate visitors' connections get blocked.

I use a method that bans a "bad guy" IP address for a day once it is detected. Because of the default limit on the recent module's hit count (which can be changed, but I have not), the method uses several tables and "carries" from one table to the next. The right settings, which trigger "bad guy" reasonably quickly while avoiding false positives on "good guys", vary from site to site and take some time to get right. First, in the normal place in the INPUT chain:

# If required, go to NEW HTTP connection sub-routine
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j http-new-in

Earlier in the script I have this code:

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# http-new-in3
#
# A NEW Connection on port 80 part 3.
#
# carry forward to the actual banned list:
# Increment this count. Leave the previous count.
#
# Custom tables must exist before being referenced, hence the order
# of these sub-routines.
#
$IPTABLES -N http-new-in3
$IPTABLES -A http-new-in3 -m recent --remove --name HTTP_02
$IPTABLES -A http-new-in3 -m recent --update --hitcount 1 --seconds 86400 --name HTTP_BAN -j http-new-in4
$IPTABLES -A http-new-in3 -m recent --set --name HTTP_BAN

$IPTABLES -A http-new-in3 -j LOG --log-prefix "BAN80:" --log-level info
$IPTABLES -A http-new-in3 -j DROP

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# http-new-in2
#
# A NEW Connection on port 80 part 2.
#
# carry forward from previous max new connections per unit time:
# Increment this count and clear the lesser significant count.
#
$IPTABLES -N http-new-in2
$IPTABLES -A http-new-in2 -m recent --remove --name HTTP_01
$IPTABLES -A http-new-in2 -m recent --update --hitcount 3 --seconds 720 --name HTTP_02 -j http-new-in3
$IPTABLES -A http-new-in2 -m recent --set --name HTTP_02

$IPTABLES -A http-new-in2 -j LOG --log-prefix "CARRY80:" --log-level info
$IPTABLES -A http-new-in2 -j ACCEPT

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# http-new-in
#
# A NEW Connection on port 80:
#
$IPTABLES -N http-new-in

echo Allowing EXTERNAL access to the WWW server

# . check the static blacklist.
#
$IPTABLES -A http-new-in -i $EXTIF -s 5.248.83.0/24 -j DROP
$IPTABLES -A http-new-in -i $EXTIF -s 91.200.0.0/20 -j DROP
... deleted big list of ip addresses ...
$IPTABLES -A http-new-in -i $EXTIF -s 82.80.0.0/16 -j DROP

# . check the dynamic banned list
#
# The 1 Hour banned list (bumped to more than a day):
$IPTABLES -A http-new-in -m recent --update --seconds 90000 --name HTTP_BAN --rsource -j LOG --log-prefix "LIM80:" --log-level info
$IPTABLES -A http-new-in -m recent --update --seconds 90000 --name HTTP_BAN --rsource -j DROP

# A generic log entry. Usually only during debugging
#
#$IPTABLES -A http-new-in -j LOG --log-prefix "NEW80ALL:" --log-level info

# Dynamic Badguy List. Least significant hit counter.  Detect and DROP Bad IPs that do excessive connections to port 80.
#
$IPTABLES -A http-new-in -m recent --update --hitcount 20 --seconds 240 --name HTTP_01 -j http-new-in2
$IPTABLES -A http-new-in -m recent --set --name HTTP_01

$IPTABLES -A http-new-in -j LOG --log-prefix "NEW80:" --log-level info
$IPTABLES -A http-new-in -j ACCEPT

This method is adapted from a reference.
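To see how the three carried-forward lists in Answer 2 actually escalate, here is an added simulation (not the answerer's code and not part of the page) of the http-new-in chains using the recent module's semantics: --set records a hit, --update matches when enough hits fall inside the window and then records one more hit, and each address keeps at most 20 timestamps (the kernel's default ip_pkt_list_tot). It assumes the static blacklist is skipped, that the http-new-in4 chain (not shown above) simply drops, and a constructed client address 198.51.100.7.

```python
from collections import deque

class RecentList:
    """Model of one '-m recent --name' list: per-source-address hit timestamps."""
    def __init__(self):
        self.entries = {}
    def set(self, ip, now):  # --set: always record a hit (ring buffer of 20 stamps)
        self.entries.setdefault(ip, deque(maxlen=20)).append(now)
    def remove(self, ip):    # --remove: forget the address entirely
        self.entries.pop(ip, None)
    def update(self, ip, now, seconds, hitcount=0):
        """--update --seconds S [--hitcount N]: match when at least N hits (any hit
        if N is omitted) fall inside the window; a match records one more hit."""
        stamps = self.entries.get(ip, ())
        hits = sum(1 for s in stamps if s >= now - seconds)
        if hits < max(hitcount, 1):
            return False
        stamps.append(now)
        return True

class HttpNewInChain:
    """Walks http-new-in -> http-new-in2 -> http-new-in3 for one NEW port-80
    connection (static blacklist omitted) and returns the log prefix it gets."""
    def __init__(self):
        self.http_01, self.http_02, self.http_ban = RecentList(), RecentList(), RecentList()
    def http_new_in3(self, ip, now):
        self.http_02.remove(ip)
        if self.http_ban.update(ip, now, 86400, 1):
            return "DROP"  # assumed: http-new-in4 (not on the page) drops; unreachable here
        self.http_ban.set(ip, now)
        return "BAN80"     # logged BAN80, then DROP
    def http_new_in2(self, ip, now):
        self.http_01.remove(ip)
        if self.http_02.update(ip, now, 720, 3):
            return self.http_new_in3(ip, now)
        self.http_02.set(ip, now)
        return "CARRY80"   # logged CARRY80, then ACCEPT
    def new_connection(self, ip, now):
        if self.http_ban.update(ip, now, 90000):  # the LOG LIM80 rule also refreshes the ban
            self.http_ban.update(ip, now, 90000)  # the matching DROP rule
            return "LIM80"
        if self.http_01.update(ip, now, 240, 20):
            return self.http_new_in2(ip, now)
        self.http_01.set(ip, now)
        return "NEW80"     # logged NEW80, then ACCEPT

def flood(rate_per_sec, count, ip="198.51.100.7"):
    # Constructed client: `count` NEW connections from `ip` at a steady rate.
    chain = HttpNewInChain()
    return [chain.new_connection(ip, i / rate_per_sec) for i in range(count)]
```

With the thresholds above, a client opening ten new connections per second gets 83 through (three of them logged CARRY80) and is banned on the 84th; one connection every 15 seconds never reaches 20 hits inside the 240 s window, so it is never carried forward.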